Hello. I am new to null-byte. Thank you for the people who contribute to this place. I have read some tutorials and I have find them useful and entertaining. To be honest I find me a bit shy writing this... but anyway, I think I got a problem.
I have been annoyed SO MUCH that I am finding this amusing not so much of a problem but like an exercise now.
So, basically, since 2 years ago I have been using a public wifi that the town where I live offers. Between the things that happens here there are hundred of arp attacks daily and who knows more... though my computer was not mine and was already infected by some stuff...
I have flash the bios and did a low level format of the hd, though not very intensive (multiple low level formats of 1 to 5 minutes for a total of around 30 minutes) and before and after that reinstalled the operative system too...
Even so, someone is able still to... disable the uac (you check in windows and it seems activated even though it is really deactivated), to enable the file and print sharing options, change the name of some folders like the download folder (my native language is not english but I read a lot of things in english so I did not really realize about it), change the properties of some files while beeing downloaded and etc etc. Everything very subtitle, just so that I don't really know. Well except when they started to send me subliminal messages. That part was very stubborn. Morons.
Anyway. Got some rootkits before, and a trojan apparently but after flashing the bios and formating...
I would like to know if it is normal for Svchost to send data through ports higher even than the 45000 (even as higher as 65k and through udp). Could it be symptoms of an infection? (I am either infected by a bootkit/rootkit that affected some part of my hardware or simply I get infected or hacked by people who use the public wifi). Unless the admins of the wifi are messing with me of course.
6 Responses
If you are able to run Wireshark, do so while making sure no other programs are running (to minimise the number of connections). Monitor the traffic for as long as possible. Then analyse all the IP addresses using the powerful filtering options in Wireshark.
Write down any unusual or suspicious IP addresses and use the website ip-tracker.org to see if the location of those IPs are trusted and whether they are being used by legitimate applications.
The process svchost.exe is one that is created and used by Windows services. Indeed it is suspicious that it's sending data through high-end ports, however it is harmless if the destination IP addresses belong to Microsoft (in which case I wouldn't be skeptical, since they know better than to spy on people through svchost or processes alike).
TRT
Well since port number are an unassigned short that means that they can go up until 65535. Honestly I don't think you got hack, from I read nothing really points to be hacked, all of those things could have just be problem with the OS. Do you have more concrete evidence that you were hacked?
Also, MITM can only go so far, assuming that your running a relatively modern OS, it would be hard for an attacker to completely compromise you system by just being on the same LAN.
Cheers,
Washu
Fair point. However it is the process svchost.exe itself that is causing suspicion. If the information provided to us is correct, then I would (just to be safe) suggest scanning and verifying the destination IPs before jumping to conclusions.
TRT
WASHU.... well so far I only used Windows Xp, Windows Vista and Windows 7... this only happened recently while using Windows 7 and NOW that I am using Windows 10. The more concrete evidence are the subliminal messages. There is that function of windows 10 that make like snapshots (I am talking about that service that makes snapshots and improves the performance of win, its new in win10) however I have see a) letters (not snapshots) changing colours, so it is more evident, black and red b) even a page appearing in the center of my screen for two seconds... I know it sounds really weird but like HELL I have been using computers since more than 16 years ago and that never happened that to me. I doubt it's a bug of Windows 10 and I found rootkits and a trojan before. I will learn how to use better wireshark. So far the only odd thing I have find using it, is: a website of an american bank, accesed through akamai from Brazil, and two russian websites...
I never entered into russian or brazilian websites though...
And that of the subliminal messages... the point is that I used one program of subliminal messages in the past for a while (a lot of months ago) so if someone would have infected me they could have get the idea from me.
And if they are bugs of Windows 10... it would convice me that it would be better to burn down Bill Gates and come back to XP, Vista or any other OS...
Are you using the wifi at Ron's Coffee Shop? All kidding aside, maybe it's time to change Operating System
Confirmed that something was messed up. Found in Windows/Installer a lot of files called ARPPRODUCTION.EXE. Sent them to virustotal, checked some odd processes in taskmanager, ram was at 80-98%, killed them and computer restarted. After that I could not login to the windows account and had to reinstall windows 10 AGAIN! This is like the 10º time or so... guess the person who is watching what I write right now is having a lot of laughs. Such a kid. Not that I care anymore. Though to lose a computer when I have not money to buy another is a pity.
I am even thinking that the admins of the wifi are in colaboration with the ** that is the way of my country... only rich people are able to live.
After that I can only think of making a low level format of hours, to flash the bios again and hope that the infection is not there... but I guess those who infected me or hacked me thought it very well so...
I give up...
A message to you though ** which are seeing that. I will ** eventually. You know who I am.
Share Your Thoughts